Abstract


Runway excursions are defined as the exit of an aircraft from the surface
of the runway. These excursions can take place at takeoff or at landing and consist
of two types of events: veer off and overrun. The latter, which occurs when the
aircraft exceeds the limits at the end of the runway, is the event of interest in the
current study. This chapter aims to present an accident model with a new approach
in aeronautical systems, based on the tasks of the pilots related to the operational
procedures necessary for the approach and landing, in order to obtain the chain
of events that lead to this type of accident. Thus, the tree-network overrun model
(TNO model) was proposed, unlike most traditional models, which consider only
hardware failures or which do not satisfactorily explain the interrelationship
between the factors influencing the operator. The proposed model is developed in a
fault tree and transformed into a Bayesian network down to the level of the basic
elements. The results showed the qualitative model of the main tasks performed by the
pilots and their relation to the accident. It has also been suggested how to find and
estimate the probability of factors that can impact each of the tasks.


Keywords: overrun, TNO model, fault tree, Bayesian networks, safety, aviation 


1. Introduction 


Around the world, runway excursions are the most frequent type of occurrence in
commercial and general aviation. The International Air Transport Association
(IATA) and the International Civil Aviation Organization (ICAO), through the
Runway Excursion Risk Reduction Toolkit [1], define runway excursions as the exit
of an aircraft from the surface of the runway. These excursions might take place at
takeoff or landing and consist of two types of events: veer off and overrun. For the
landing, they can be described as:


• Veer off (LDVO): when there is an exit in which the aircraft exceeds the lateral
limits of a runway in the landing phase.

• Overrun (LDOR): when the aircraft runs past the end of the runway during the
landing phase. This is the event of interest of the current study.
The latest Boeing data, from a survey covering 2006 to 2015, show that
the final approach and landing phases together account for 49% of fatal accidents in the
world’s commercial jet fleet [2]. The number of onboard fatalities in
these same phases of flight accounts for 47% of the total. The statistic was evaluated
according to the aircraft exposure time for each of the mentioned phases (percent-
age of flight time estimated for a 1.5-h flight). The phases of interest for this study—
descent, initial approach, final approach, and landing—together correspond to 59%
of fatal accidents and 61% of fatalities on board.


1.1 Literature review 


Most of the aviation accident statistics cited in the literature today begin with
the data collected in the late 1950s and early 1960s, and a marked decline in the
accident rate can be observed [3]. Beginning in the 1950s, a number of
research efforts were undertaken to document the precise location of aircraft acci-
dents so that effective safety planning data could be obtained for the
airport and its surroundings. It is noteworthy that “the airport and its neighbors”
identified the location of more than 30 military and commercial aircraft accidents
which occurred outside the physical boundaries of the airport with fatalities
or injured people on the ground [4]. Despite limited data, this report led to the establish-
ment of “clear zones,” now known as “runway protection zones.” Other works
also brought important contributions to the literature: the “Air Installation
Compatible Use Zone (AICUZ) Program” of the US Department of Defense served
to define potential accident areas for military aircraft, known as “accident poten-
tial zones (APZs)” [5]; “location of aircraft accidents/incidents relative to runways”
compiled data on the location of accidents with commercial airplanes on the airport
runway [6]; and surveys conducted by the Airline Pilots Association indicated
that 5% of accidents occur en route, 15% occur in the vicinity of airports, while the
remaining 80% occur on runways, overrun areas, and clear zones [7]. However, the
increasing complexity of technological systems, such as aviation systems, maritime
systems, air traffic control, telecommunications, nuclear plants, and aerospace defense
systems, among others, has raised points of discussion about failure modes and
related new safety issues, such as the analysis of human factors and organiza-
tional factors in a system.

To reduce these negative effects, studies have been carried out with a larger
number of samples (accidents or incidents); examples are the accident analysis
studies developed in [8-14]. As a result, it was
observed that this distance differs for each type of operation, whether landing or
takeoff, as well as for each type of accident, whether overrun, undershoot, or veer
off. The studies previously mentioned were important in presenting the differences
among the events on runway excursions and in reporting which runway conditions
influence each type of accident. They also showed that aircraft operational
factors are important in the analysis of an accident. Despite these contributions,
they were mainly limited to environmental factors and to models based
on historical data. The relationship between occurrences and human performance
factors, for example, was not explained.

Many researchers have attempted to develop theories or models to describe
the causes of an accident [15]. One of the earliest models of accident causation is the
“Domino theory” proposed by Heinrich in the 1940s, which describes an accident
as a chain of discrete events occurring in a particular temporal order [16]. This
theory belongs to the class of sequential accident models, or event-based accident
models, which provided the basis for most of the accident analysis models
introduced later [17]. These models are known for using causality methods such
as failure mode and effect analysis (FMEA), fault tree analysis (FTA), event
tree analysis (ETA), and cause-consequence analysis (CCA). A large part of this
approach has been strongly criticized for being based only on causal relationships
among the events [18-20].


1.2 Concept of the study 


Safety is generally understood as a state of the transportation system; therefore,
it has a qualitative nature. In aviation, there are neither widely accepted safety
measures, nor is there a common agreement on the limits of the indicators that can
be considered acceptable [21]. In this context, interdisciplinary research and studies
are necessary to understand the complexity of sociotechnical systems [18, 20]. In
addition, through a broad systemic view, one can understand the multidimensional
aspects of safety, in order to later model accidents in a more global way.

Since the middle of the last century, safety models of the technical and human
parts of systems have been introduced [17]. Further studies provided important
reviews of the various existing accident models [22-26]. The last of these presents an
extensive survey with 121 accident models described together with their applications. In [25],
the authors develop quantitative indicators to assess the status of the flight crew and
the impact of these indicators on air traffic safety. In [22], the authors specifically
review models of accident analysis, and in [27], the author develops a model for the
analysis of incidents using Petri nets, both for air traffic. In [28], the authors present a
proposal relating human factors, abilities, organizational factors, and environmental
factors to the task being performed by the pilot. This application proposes several
relationships between these factors, which the authors obtained from the literature
and from research with pilots in flight simulators. A
summary of the major accident models identified is given in Table 1
[12, 29-36].

The most recent model in the table is the one proposed in this study. The methods or
techniques used in these analyses are shown in Table 2, which
was adapted according to the categories presented in [24] to classify the methods
and/or techniques used. Thus, accident models can be divided into four categories:
(i) causality models, (ii) collision risk models, (iii) human error models, and
(iv) third-party risk models.

The TNO model is conceptually similar to [40], which uses the same tools to
develop a ship collision accident model. These authors used a fault tree to obtain


#    MAIN MODELS OF ACCIDENTS IN AVIATION          ORIGINAL OR ADAPTED

1    Reich—Mark Model [29]                         Original
2    SHELL Model [30]                              Adapted from [37]
3    CRM Model [31]                                Original
4    HFACS Model [32]                              Adapted from the Swiss Cheese Model
5    Flight Model [33]                             Original
6    Impact Relationship Map Model (IRM) [34]      Original
7    Approach Model (ACRP 50) [12]                 Original
8    CATS Model [35]                               Original
9    Accident Model STAMP-HFACS [36]               Adapted from STAMP Model [39]
10   Tree-Network Overrun Model (TNO Model)        Original


Table 1.
Identification of aviation accident models.
CATEGORY / CHARACTERISTICS / METHODS OR TECHNIQUES (field of analysis)

CAUSALITY MODEL
Characteristics: the models address the risk and safety assessment of aircraft
operations, particularly failures of certain technical systems and components
that result in an aircraft accident. Failures can be due to many interrelated
causes (aircraft and ATC/ATM).
Methods or techniques: fault tree analysis, event tree analysis, risk analysis,
Bayesian network (systems reliability; human reliability).

COLLISION RISK MODEL
Characteristics: the models cover the assessment of the risk of collision of
aircraft in flight and/or on the ground.
Methods or techniques: simulation, Bayesian network, Petri network, HAZOP
(systems reliability; human reliability; risk analysis).

HUMAN ERROR MODEL
Characteristics: the models address the assessment of accidents and incidents
due to human error (errors associated mainly with pilots and air traffic
controllers).
Methods or techniques: fuzzy logic, HEART, HERA (human reliability; systems
reliability).

THIRD-PARTY RISK MODEL
Characteristics: the models address the risk assessment targeted at people in
the airport area who may be affected by an aviation accident.
Methods or techniques: matrix of probability and consequence, probability
equations (risk analysis).


Table 2.
Category of accident models vs. accident investigation methods.


the main human failures related to the ship’s crew tasks, and Bayesian networks
(BNs) to obtain the probability of collision and the relationships between the
contributing factors. Two other models similar to the proposed model are the flight
model [33] and the CATS model [35]. The first is a Bayesian network model
with a selection of contributing factors in order to obtain the probability of an avia-
tion accident. Despite including human and organizational factors, this
model represents neither the main operational procedures nor all the flight
phases. The second one, the CATS model [35], is an aviation accident model
developed as a fault tree, where human failure is the only element obtained by
Bayesian networks. This implies that the top event is static in relation to the other
factors, making it impossible to obtain the contribution of this element to the
accident or to express relationships between the various factors of the
tree.

The objective of this chapter is to present a probabilistic accident model for
the landing overrun of medium and large aircraft, with the purpose of evaluating
operational safety during approach and landing through the pilot-aircraft interface,
considering the main operational procedures and the pilot's tasks. From these
elements it is possible to observe the abilities and human factors of pilots, the
performance of the airline, airport infrastructure, and environmental conditions in
the field of commercial aviation.


2. Development of the TNO model 


The methodology presents the fault tree developed to represent the chain of
events that brings about the consequences of human errors. Thus, this section presents
the development of the FTA and its basic elements. Then, the FTA is transformed into
a Bayesian network (BN). For each basic event, a BN is developed related to the task
it is associated with, in which the performance factors will be aggregated. These fac-
tors, as well as the development of the model, are presented throughout this chapter.

The methodology of this research has four stages—familiarization, quali-
tative analysis, quantitative analysis, and incorporation—to obtain the proposed
accident model. These steps were adapted from the methodology proposed in [41],
which aimed at a human reliability analysis (HRA).

In the familiarization stage, besides the literature review, the technical
documentation of entities related to the sector was consulted in order to understand the
operation and to describe the procedures of approach and landing of medium
and large commercial aircraft and their flight stages, in addition to the current
norms issued by the competent authorities. The following references were
used: ALAR report [11], risk analysis report [8], ACRP 3 [10], TAM general
operations manual [42], Flight Crew Training Manual for Aircraft Model A319,
A320 and A321 [43], Flight Crew Operation Manual [44], and Flight Crew
Training Manual for the 737NG [45]. In addition, fieldwork was carried out in
an A-320 aircraft simulator; consultation with specialists—pilots and industry
analysts—was an important point for the development of the model, giving the
best coherence among the relationships between the operational procedures and
the pilots’ activities. Finally, the accident analysis presents the NTSB database
data on the causes of accidents of the LDOR type, which helped the analysis of the
relationships between the elements of the proposed model. Step 2 basically presents the
FTA technique and the BN method used to construct the proposed model. Step 3,
in summary, concerns the population of the network elements developed by the
model. Finally, step 4 presents the results and inferences.


2.1 Fault tree in the construction of the TNO model 


The fault tree analysis (FTA) technique is widely used in aerospace, nuclear, and elec-
tronic systems [46]. FTA is a “top-down” quantitative technique in which the
top event refers to a single event, from which the intermediate events lead to component
failures as well as to human actions. Logic trees can be used for both a qualitative and a
quantitative evaluation of the system; they employ a deductive procedure to determine
the possible causes of an event of interest located at the top of the tree, which may be the failure
or the success in the execution of a given mission. The qualitative evaluation aims at identify-
ing the cause-effect relationships between the events that may contribute to the occurrence
of the top event (of interest) as well as its logical dependencies, while the quantitative
evaluation aims to determine the probability of occurrence of that top event from the
probabilities of occurrence of the events that make up the tree. Moreover, the final objective
of a qualitative analysis of an FTA is mainly the probability of occurrence of events, in
addition to obtaining the set of minimal cut sets and prioritizing them according to their
order. Table 3 shows the logic gates used in the current study.

It is important to emphasize that the quantitative evaluation is deterministic
and performed from the basic events, not allowing a diagnostic evaluation based
on evidence, and that in both the qualitative and the quantitative analyses the basic events
are considered Boolean; that is, they have only two possible states. Then, the logic
of the model is represented by Boolean algebra rules, where each variable may have
one of the binary values corresponding to the concepts of true (1) or false (0) [47].
If the top event is the failure of a system in the execution of a given mission, the tree
is called a fault tree, and if the top event is the success of the system, the tree is called
a success tree. In the latter case, the probability P of the top event is
the reliability of the system being analyzed, while in the former the reliability
of the system is 1 − P(top event).
LOGICAL GATE      DEFINITION
AND               The output event only occurs if all input events occur.
OR                The output event occurs if at least one of the input events
                  occurs.
OR EXCLUSIVE      The output event occurs if at least one, but not all, input
                  events occur.

Table 3.
Logical gates used in the model.


2.2 Operational procedures selected for the TNO model 


The development of the proposed model followed steps in which each element
was designated by a number in the FTA, shown in parentheses:

i. The landing overrun was selected as the top event (#1).

ii. In order for an overrun to occur, it was determined that two situations must
occur simultaneously: the “unwanted state in the operation of the aircraft”
(#2) and the “flight crew did not go-around the aircraft” (#16). This asso-
ciation is warranted by the Flight Crew Training Manual for the A319, A320,
and A321 [43] aircraft and the Flight Crew Training Manual for the 737NG [45]
aircraft, which indicate a go-around for a destabilized approach in order to
avoid a runway excursion. Therefore, the connection of these factors was
represented by an “AND” logic gate. It is worth noting that in the BN model, this
event assumed a 75% probability of overrun occurrence when both danger-
ous events occur, and a 25% probability that the accident does not occur under the same
conditions, according to [48]. This condition is not represented in the FTA
because of its Boolean structure.

iii. The “unwanted state in the operation of the aircraft” event implies two
situations: “unwanted state in the descent” (#3) or “unwanted state in the
landing” (#39). Either of these two situations makes the landing operation
unwanted. Thus, the logic gate “OR” was used.

iv. For the “unwanted state in the descent” event (#3) to occur, two situations
were observed: “undesired state in the briefing” (#4) or “unwanted state in
flight management” (#17). Either of these two dangerous events can lead to
an undesired state of descent.

v. The “unwanted state in the briefing” (#4) was designed in consultation
with experts. In this way, two dangerous events were obtained: the nonexist-
ent briefing (#5), when the flight crew decides not to make the necessary
configurations for the descent procedure, and the inadequate briefing (#8),
when the flight crew performs the task but does not meet the appropriate
safety conditions, classified as incomplete (#14) or incorrect (#9). For
the “unwanted state in flight management” (#17), three situations were
considered: “inadequate checklist” (#18), “inadequate flight control” (#25)
or “inadequate final approach” (#32), all linked to an “OR” logic gate. These
events and their ramifications were arranged according to the consultation
of the possible dangerous events with experts and are based on the descrip-
tion of operational safety reports [49-52]. According to the literature, the
cause of the factors is linked to omission or error in action, criteria not
met for a stabilized approach, inadequate monitoring, among others.
Additionally, the basic events were obtained from observations in the field
and consultation with specialists. According to the pilots, once an error
occurs in the procedure, it is quickly detected by the flight crew. The detec-
tion of the error in some of the activities developed in the proposed model
has practically a 100% chance of occurring. However, the error correction action
may be flawed, as represented in the FTA and BN (#20, #27, #34).

vi. Finally, the event “unwanted landing state” (#39) was considered to occur
when there is an “unfavorable runway” (#40) or “inadequate braking”
(#41). Therefore, the connection of these factors was represented by an
“OR” logic gate. Such a link was justified by the flight simulator
cockpit monitoring, where an overrun event was observed in both conditions,
with the approach stabilized until the moment of landing. Consultation with
experts also suggested the occurrence of this dangerous event. In addition,
the hazardous event “inadequate braking” (#41) has the “landing gear
procedure error” (#42) and the “reverse procedure error” (#43) as basic
events. In the fault tree, the designated logic gate was “OR.” However, the
relationship of these two events was modeled in the BN with the ratio of 80%
of braking being adequate when the landing gear procedure is adequate and the
reverse procedure is inadequate, and 20% of braking being adequate when the landing
gear procedure is inadequate and the reverse procedure is appropriate. This
condition is not represented in the FTA because of its Boolean structure.


The framework of the model proposed in FTA is in Figure 1. The pilot tasks that 
must be analyzed in the proposed model are listed in Table 4. The model elements 
with negligible failure are chosen based on field research and consultation with 
experts. 
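As an added example (not the chapter's or the authors' code), the Python script below encodes the gate structure described in steps i to vi, using the chapter's event numbers, and performs the two FTA evaluations named in Section 2.1: the qualitative one, obtaining the minimal cut sets, and the quantitative one, obtaining P(top event) and the reliability 1 − P under the Boolean, independent-event assumptions. The basic-event probabilities are constructed placeholders, not values from the chapter, and events #18, #25 and #32 are treated as basic events because their ramifications are not detailed here.

```python
"""Qualitative and quantitative FTA for the landing-overrun tree of the chapter.
Added example, not the authors' code.  Gate structure follows the numbered
events of Section 2.2; the probabilities are constructed placeholders."""
from itertools import product

# event number -> (gate type, input events); events that are not keys are basic.
GATES = {
    1: ("AND", [2, 16]),       # landing overrun (top event)
    2: ("OR", [3, 39]),        # unwanted state in the operation of the aircraft
    3: ("OR", [4, 17]),        # unwanted state in the descent
    4: ("OR", [5, 8]),         # unwanted state in the briefing
    8: ("OR", [14, 9]),        # inadequate briefing: incomplete or incorrect
    17: ("OR", [18, 25, 32]),  # unwanted state in flight management
    39: ("OR", [40, 41]),      # unwanted landing state
    41: ("OR", [42, 43]),      # inadequate braking: landing gear or reverse error
}


def basic_events(gates, top=1):
    """Sorted list of the basic events reachable from `top`."""
    leaves, stack = set(), [top]
    while stack:
        e = stack.pop()
        if e in gates:
            stack.extend(gates[e][1])
        else:
            leaves.add(e)
    return sorted(leaves)


def cut_sets(gates, event):
    """Minimal cut sets of `event` as a sorted list of frozensets.
    OR gate: union of the input lists; AND gate: pairwise union of members."""
    if event not in gates:
        return [frozenset([event])]
    kind, inputs = gates[event]
    child = [cut_sets(gates, i) for i in inputs]
    if kind == "OR":
        sets = [c for lst in child for c in lst]
    elif kind == "AND":
        sets = [frozenset()]
        for lst in child:
            sets = [a | b for a in sets for b in lst]
    else:
        raise ValueError(f"unsupported gate {kind}")
    # minimality: drop any set that strictly contains another cut set
    return sorted({s for s in sets if not any(o < s for o in sets)}, key=sorted)


def top_event_probability(gates, probs, top=1):
    """Exact P(top) by enumerating the 2^n Boolean states of the basic events,
    assuming statistical independence as in standard FTA."""
    leaves = basic_events(gates, top)

    def evaluate(e, state):
        if e not in gates:
            return state[e]
        kind, inputs = gates[e]
        vals = [evaluate(i, state) for i in inputs]
        return all(vals) if kind == "AND" else any(vals)

    p_top = 0.0
    for bits in product([False, True], repeat=len(leaves)):
        state = dict(zip(leaves, bits))
        weight = 1.0
        for e, occurred in state.items():
            weight *= probs[e] if occurred else 1.0 - probs[e]
        if evaluate(top, state):
            p_top += weight
    return p_top


# Constructed placeholder probabilities per landing (not chapter data).
PROBS = {5: 1e-3, 14: 2e-3, 9: 2e-3, 18: 3e-3, 25: 4e-3, 32: 5e-3,
         40: 1e-2, 42: 1e-3, 43: 2e-3, 16: 0.1}

if __name__ == "__main__":
    # every minimal cut set pairs "no go-around" (#16) with one other basic event
    for cs in cut_sets(GATES, 1):
        print("minimal cut set:", sorted(cs))
    p = top_event_probability(GATES, PROBS)
    print(f"P(overrun) = {p:.6f}; reliability 1 - P = {1 - p:.6f}")
```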


Figure 1.
Fault tree with basic events that lead to landing overrun.
#    BASIC EVENT                              DESCRIPTION
16   Flight crew did not go-around            The flight crew decides, depending on the approach conditions of the aircraft and
                                              the local infrastructure, whether the landing will be carried out or discontinued.
42   Error during landing gear procedure      Error during the landing gear procedure for not following aircraft standards and/or
                                              company standard.
43   Error during power reverser procedure    Error during the power reverser procedure for not following aircraft standards and/or
                                              company standard.
40   Unfavorable runway                       According to experts, the unfavorable runway is one that is contaminated (by
                                              water, oil, ice, etc.), has improper grooving (grooves that help the liquid run off the
                                              runway and increase the grip in contact with the tires), and/or has one of its
                                              thresholds closed for any reason, reducing the length of the runway.
?    Error during the drag control procedure  Error during the drag control procedure (spoilers and speedbrakes) for not
                                              following the aircraft norms and/or standard of the company.
36   Execution time error                     Action at the wrong time.
?    FMS indication presence                  Flight Management System that assists the monitoring of aircraft control.
?    Parameters control error                 Error in observing, monitoring or indicating the parameters used for speed, descent
                                              rate and power used for an adequate landing.
?    Inadequate monitoring                    Wrong identification or unrealized observation.
23   Error detected                           Identification of error.
28   Electronic indication of the             The status of the aircraft is indicated by the Electronic Centralized Aircraft
     system status                            Monitoring before its approach (for example: ECAM, for the Airbus fleet).
24   Checklist error                          Checklist non-compliant with the company's safety policy.
22   Attention error                          Due to lack of attention to the senses, the individual makes an erroneous selection.
21   Presence of the item in the checklist    Aid (printed and electronic checklist) used by the flight crew to perform the
                                              checklist, that is, the verification of items and actions required for landing the
                                              aircraft.
15   Landing briefing error                   Landing briefing not in accordance with company safety policy.
13   Inadequate ATC information               Information on airspace control and airport of destination that is incomplete or non-
                                              compliant with safety regulations.
12   Inadequate interpretation                Diagnostic failure.
11   Proper ATC information                   Information on airspace control and airport of destination given in accordance with
                                              safety standards.
?    Decision not to do briefing              Error in decision making.

A: elements of the model that represent the pilot task that must be analyzed;
B: elements of the model with negligible failure;
C: elements of the model that represent environmental and human conditions;
?: event number not legible in the source.


Table 4.
Basic elements of the fault tree (FTA).


2.3 Bayesian network in the construction of the TNO model 


A Bayesian network (BN) is defined as a graphical structure for representing
the probabilistic relationships among a large number of variables and for making
probabilistic inferences with those variables [53]. Bayesian networks—also known as
belief networks, causal networks, or dependency graphs—are graphical reason-
ing models under uncertainty that use the concept of probability as the analyst's
degree of belief, allowing expert judgments to be used as information to support
a decision-making process related to complex systems [54-56]. BNs have proved
useful in studies of system reliability [40, 57] and in risk analysis studies [58-60].
They have also been applied to complex systems such as nuclear plants [61, 62] and maritime
transport [63, 64], and in the last 10 years, several studies on human reliability in
aviation have also been developed using BNs [24, 28, 33, 35, 65-71].

A BN is a directed acyclic graph (DAG), defined as G = (V, E), where V
is the set of nodes representing either discrete or continuous variables and E is a set of
ordered pairs of distinct elements of V, called arcs (or edges), which represents the
dependencies between the nodes. The conditional probabilities associated with the
variables are the quantitative components. The nodes and arcs are the qualitative
components of the network and provide a set of conditional independence
assumptions, which means that each arc built from variable X to variable Y is a
direct dependence, such as a cause-effect relationship, and in that case the node
representing variable X is said to be a parent node of node Y [53].

Each node within a Bayesian network is classified as “parent,” “child,” or both.
These classifications relate to their respective relations to other nodes, where
child nodes are those connected to antecedent nodes or influenced by other
nodes, and parents are those connected to descendant nodes or which have an influence
on other nodes [72]. Once the topology has been specified, the
conditional probability table (CPT) for each node must be specified. Each row in the table contains
the conditional probability of each node value for a conditioning case. A condition-
ing case is just a possible combination of values for the parent nodes.

Considering a BN containing n nodes, X_1 to X_n, taken in that order, a particular
value in the joint distribution is represented by P(X_1 = x_1, X_2 = x_2, ..., X_n = x_n), or
more compactly, P(x_1, x_2, ..., x_n), and the chain rule of probability theory allows
these joint probabilities to be factorized as shown in Eq. (1). This process is then repeated,
reducing each conjunctive probability to a conditional probability and a smaller
conjunction, until it forms a single large product as shown in Eq. (2).


$$P(x_1, \ldots, x_n) = P(x_n \mid x_1, \ldots, x_{n-1})\, P(x_1, \ldots, x_{n-1}) \qquad (1)$$

$$P(x_1, \ldots, x_n) = P(x_n \mid x_1, \ldots, x_{n-1})\, P(x_{n-1} \mid x_1, \ldots, x_{n-2}) \cdots P(x_2 \mid x_1)\, P(x_1) = \prod_{i=1}^{n} P(x_i \mid x_1, \ldots, x_{i-1}) \qquad (2)$$

$$P(x_1, \ldots, x_n) = \prod_{i=1}^{n} P(x_i \mid \mathrm{Parents}(X_i)) \qquad (3)$$


The quantitative analysis is based on the conditional independence assumption.
Considering three random variables X, Y, and Z, X is said to be conditionally inde-
pendent of Y given Z if P(X, Y | Z) = P(X | Z) P(Y | Z). The joint probability distribution
of a set of variables, based on conditional independence, can be factorized as shown
in Eq. (3), provided that the constraint defined in Eq. (4) is satisfied. This equation allows
any joint probability to be obtained from the values found in the conditional probability tables,
in the case of discrete variables, or from the conditional probability density func-
tions, for continuous variables. A complete example can be found in [69].


$$\mathrm{Parents}(X_i) \subseteq \{X_1, \ldots, X_{i-1}\} \qquad (4)$$


Thus, each entry in the joint distribution is represented by the product of the appropriate ele-
ments of the conditional probability tables (CPTs) in the belief network. The CPTs
therefore provide a decomposed representation of the joint. The possibility of using
evidence about the system to reassess the probabilities of network events is another
important feature of BNs. Given some evidence, beliefs can be recalculated to
evaluate their impact on the network nodes. The process of obtaining a posterior
probability from a prior probability is called Bayesian inference [53]. As empha-
sized by [73], inferences can be made using Bayesian networks in three distinct
ways: causal, diagnostic, and intercausal.


2.4 Fault tree conversion in Bayesian networks 


It is possible to combine a structured methodology as fault tree with the model- 
ing and analytical power of the Bayesian network [74]. The authors also point 
Figure 2.
BN for the logic gate “AND” (at the left) and the logic gate “Exclusive OR” (at the right).
Conditional probability tables legible in the figure: AND gate: P(a | b, c) = 1,
P(a | b, ¬c) = 0, P(a | ¬b, c) = 0, P(a | ¬b, ¬c) = 0; Exclusive OR gate: P(a | b, c) = 0,
P(a | b, ¬c) = 1, P(a | ¬b, c) = 1, P(a | ¬b, ¬c) = 0.


out that any fault tree can be converted into a Bayesian network without losing
information. It is important to note that the flexibility of Bayesian network model-
ing can accommodate several types of dependencies among variables that cannot
be included in fault tree modeling. Studies have shown that the transformation of a
problem described by a fault tree into a Bayesian network is not a complex process
[74, 75]. To convert the fault tree into a Bayesian network, the basic premises of the
standard FTA methodology are highlighted, as follows [74]:

• events are binary (example: appropriate/not appropriate);

• events are statistically independent;

• the relations between events and causes are represented by logic gates through
Boolean logic, i.e., AND and OR gates; and

• the root of the fault tree is the unwanted event; i.e., it is the top event to be
analyzed.

Thus, one node must be created for each event and for each basic element in the
FTA. It is important to note that in the BN, each element of the FTA must be repre-
sented only once, even if it is repeated in the fault tree. Then, the nodes must
be connected according to the logic gates present in the FTA.

Consider a subsystem composed of a logic gate whose Boolean operation is of any nature
(union, intersection, exclusive union, or others) with k input components, either
events or subsystems; it can be converted into its corresponding Bayesian net-
work. If the logic gate represents a union, then only the nonoccurrence of all
input events avoids the occurrence of the top event, i.e., P(Top | E_1^c ∩ E_2^c ∩ ... ∩ E_k^c) = 0,
and any other combination of the E_i leads to its occurrence. Here, following De Morgan’s
theorem (propositions for simplifying expressions in Boolean algebra),
X^c denotes the complementary event of X, where (X ∪ Y ∪ Z)^c = X^c ∩ Y^c ∩ Z^c and
(X ∩ Y ∩ Z)^c = X^c ∪ Y^c ∪ Z^c. If the logic gate represents an intersection,
only the simultaneous occurrence of all events leads to the top event, that is, only
P(Top | E_1 ∩ E_2 ∩ ... ∩ E_k) is not null, being equal to 1. Figure 2 illustrates the conversion
of FTA into BN. Each of the diagrams has two independent basic events A and B and the
top event C.


3. Results 
The result of the FTA transformation into BN is presented, qualitatively, in Figure 3. 


Figure 3. 
Bayesian network for the chain of events that lead to landing overrun. 


The Bayesian network of the proposed model presents two states, negative and 
positive, for each node. The negative state represents the probability of occurrence 
of the node (characterized by the word YES). And the positive state represents the 
probability of the node not occurring; that is, the fault does not occur (characterized 
by the word NO). The node in red represents the landing overrun, and its 
positive and negative states represent the probability of the accident occurring, 
given the factors of the developed network. 

According to field research and expert opinion, the tasks that demand the most of 
pilots during approach and landing are listed below. From these tasks, a chain of dangerous 
events was also obtained, described in the development of the model as below: 

• decide whether the aircraft continues the approach and/or landing (go-around); 
• landing briefing; 
• landing checklist; 
• control of aircraft parameters; 
• execution of the drag procedure on final approach; and 
• execution of the braking procedure (landing gear and reverse). 

It should be noted that this work is not intended to introduce the factors 
of each task and its probabilities in this example, but to present the accident 
model for the approach and landing phases related to the tasks performed by 
the pilots that can be visually understood. The TNO model includes the main 
tasks performed by the crew and the chain of dangerous events that can lead to 
landing overrun. 

From this model, it is possible to obtain the relation between the factors that 
can influence the performance of the pilots, and therefore, this can indicate how 
this can impact in the success or failure of the tasks related to the procedures of 
approach and landing. For each of these tasks, it is possible to develop more focused 
studies and to obtain the organizational, environmental, human factors, and the 
main abilities around each one of them. One way to get the factors contributing to 
the negative state of each of these tasks was suggested in [28]. Once obtained, a way 
to develop the Bayesian network with these factors and to find the probability of 
each of the states, positive and negative, is in [71]. 

The main advantage of transforming the FTA model to BN is to verify the 
sensitivity of each of the nodes given the accident and to obtain their impact. 
It is also possible to obtain the probability of an accident occurring because an 
error occurred in some task, for example. This type of approach is only possible 
in BN, one of the advantages of using this method for risk analysis. Finally, the 
network data can be obtained by consulting specialists and/or obtained from the 
literature. 
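As an added illustration (not code from the chapter), the following builds the deterministic conditional probability tables for OR (union) and AND (intersection) gates described above, then enumerates a small constructed tree to obtain P(top event) and the posterior of each basic event given the accident, i.e. the sensitivity of each node given the accident. Node names and probabilities are hypothetical, not the TNO model's own labels or data.

```python
from itertools import product

# Constructed fault tree (hypothetical node names, not the TNO model's labels).
# Basic events are binary and independent; each gate is a deterministic
# Boolean function of its inputs, exactly as the conversion rules require.
BASIC = {"briefing_err": 0.05, "checklist_err": 0.03,   # P(event = YES)
         "long_touchdown": 0.10, "brake_late": 0.08}
GATES = {  # gate: (type, inputs); gates are listed inputs-first
    "preparation_fail": ("OR", ["briefing_err", "checklist_err"]),
    "landing_roll_fail": ("AND", ["long_touchdown", "brake_late"]),
    "overrun": ("OR", ["preparation_fail", "landing_roll_fail"]),
}

def gate_cpt(kind, k):
    """CPT P(gate = YES | inputs) over every tuple of k binary input states."""
    table = {}
    for states in product((0, 1), repeat=k):
        if kind == "OR":      # union: only all inputs NO avoids the gate event
            table[states] = 1.0 if any(states) else 0.0
        elif kind == "AND":   # intersection: only all inputs YES triggers it
            table[states] = 1.0 if all(states) else 0.0
        else:
            raise ValueError(f"unsupported gate type {kind}")
    return table

def evaluate(basic, gates, top):
    """Enumerate the joint distribution of the BN and return P(top = YES) and
    the posterior P(basic = YES | top = YES) for each basic event, i.e. the
    sensitivity of each node given that the accident occurred."""
    cpts = {g: gate_cpt(kind, len(ins)) for g, (kind, ins) in gates.items()}
    names = list(basic)
    p_top, joint = 0.0, {n: 0.0 for n in names}
    for states in product((0, 1), repeat=len(names)):
        val = dict(zip(names, states))
        weight = 1.0
        for n in names:                       # independent priors
            weight *= basic[n] if val[n] else 1.0 - basic[n]
        for g, (kind, ins) in gates.items():  # deterministic propagation
            val[g] = int(cpts[g][tuple(val[i] for i in ins)])
        if val[top]:
            p_top += weight
            for n in names:
                if val[n]:
                    joint[n] += weight
    return p_top, {n: joint[n] / p_top for n in names}

def run_example():
    """P(overrun) and posterior of each basic event given the overrun."""
    return evaluate(BASIC, GATES, "overrun")
```

Ranking the returned posteriors identifies which basic event is most probable given the accident, which is the prioritisation use the text describes.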


4. Conclusions 


Human factors are the most important source of uncertainty in any model, 
even though many techniques and computational tools have arisen in recent decades to deal 
with the complexity of sociotechnical systems. To obtain a representative 
analysis of the real system, a systemic vision of the process is required. However, 
modeling the operational procedures of a system, or its main tasks, is not an easy step. So, 
first it is important to know the system that is intended to be modeled, and then 
analyze the factors (and their relationships) that can contribute to an occurrence. 
For such information, a search of the literature and research with pilots and 
accident investigators become extremely important. 

The proposed model was described and used to model the relationship between 
the main operational procedures performed by the flight crew and the pilots’ skills 
and to support the construction of a BN to quantitatively analyze the event of 
interest. Differently from other studies, the TNO model proposes a systematic and 
efficient way to organize the influence factors through an FTA and, consequently, 
to obtain a probabilistic analysis through a BN. The use of BN to find the most 
probable cause with the objective of identifying the most important factors and 
prioritizing the mitigation action is also an important contribution of this work. As 
far as we know, no other study has proposed a similar approach. 

It should be noted that factors related to component failures in aircraft 
systems are not considered in the general model. This is because studies of 
failures in aeronautical equipment are already traditionally considered and modeled, 
besides presenting a low probability of occurrence. Therefore, the emphasis 
was placed on the human actions of pilots. Thus, our intention was to model one 
of the main tasks of the flight team considering factors that precede team error. 
This model must be able to obtain a representative analysis of the real system; a 
systemic view of the process is also needed. In this sense, this accident model 
fills this gap. 

The results provide inputs for proposing mitigating actions and can contribute 
to the management of air transport operational safety. The best way 
to improve the latter is to act on the most sensitive points. Thus, the factors 
highlighted in the analysis, once prioritized within the company, can promote 
the reduction of runway excursions during the landing procedure of medium 
and large aircraft. 